______________________________________________________________________________

                        Caldera International, Inc.
                              Security Advisory

Subject:                Linux: horde/imp cross-site scripting vulnerabilities
Advisory number:        CSSA-2002-016.0
Issue date:             2002 April 16
Cross reference:
______________________________________________________________________________

1. Problem Description

   There are some potential cross-site scripting (CSS, today usually
   abbreviated XSS) attacks in the imp and horde programs. IMP is the
   web-based mail client of the Horde project; cross-site scripting in a
   webmail interface lets attacker-supplied content run as script in the
   browser of the user reading it, within that user's logged-in session.

2. Vulnerable Supported Versions

   System                       Package
   ----------------------------------------------------------------------
   OpenLinux 3.1.1 Server       prior to horde-1.2.8-1.i386.rpm
                                prior to horde-1.2.8-1.src.rpm
                                prior to imp-2.2.8-1.i386.rpm
                                prior to imp-2.2.8-1.src.rpm

   OpenLinux 3.1 Server         prior to horde-1.2.8-1.i386.rpm
                                prior to horde-1.2.8-1.src.rpm
                                prior to imp-2.2.8-1.i386.rpm
                                prior to imp-2.2.8-1.src.rpm

3. Solution

   The proper solution is to install the updated packages listed below
   for your release.

4. OpenLinux 3.1.1 Server

   4.1 Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

   4.2 Packages

   f52d7821dcbefafc220a479a34f359a7   horde-1.2.8-1.i386.rpm
   7dec82815fe2a801b40fd1cc64712f28   imp-2.2.8-1.i386.rpm

   4.3 Installation

   rpm -Fvh horde-1.2.8-1.i386.rpm
   rpm -Fvh imp-2.2.8-1.i386.rpm

   4.4 Source Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

   4.5 Source Packages

   2b48821e064674d8b159a3bb1078c619   horde-1.2.8-1.src.rpm
   632aa28b3eaf46100fc00a54bd10644a   imp-2.2.8-1.src.rpm

5. OpenLinux 3.1 Server

   5.1 Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

   5.2 Packages

   d479bd6ee5b856a3cf212d3b58ddbd98   horde-1.2.8-1.i386.rpm
   836b9bc79c208b36d4e6191dcd60ce0d   imp-2.2.8-1.i386.rpm

   5.3 Installation

   rpm -Fvh horde-1.2.8-1.i386.rpm
   rpm -Fvh imp-2.2.8-1.i386.rpm

   5.4 Source Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   5.5 Source Packages

   c8031ec50e69ad21a6a20b7885be6eeb   horde-1.2.8-1.src.rpm
   151403a7a889478485be1733c9fa1bd0   imp-2.2.8-1.src.rpm

6. References

   Specific references for this advisory:
       none

   Caldera OpenLinux security resources:
       http://www.caldera.com/support/security/index.html

   Caldera UNIX security resources:
       http://stage.caldera.com/support/security/

   This security fix closes Caldera incidents sr862918, fz520626,
   erg712017.

7. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of any of
   the information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera products.

8. Acknowledgements

   Nuno Loureiro <nuno@eth.pt> discovered and researched this problem.

______________________________________________________________________________
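The advisory lists MD5 sums in 4.2 and 5.2 but the installation steps in 4.3 and 5.3 go straight to rpm -Fvh. The script below is an added example, not part of the Caldera advisory, of the check a practitioner would put between those two steps: it compares each downloaded package against the advisory's digest for the chosen release and only then freshens the installed packages. The checksums and file names are copied from sections 4 and 5 above; the directory layout, the release labels "3.1.1" and "3.1", and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Caldera advisory): verify the advisory's MD5
# sums before running the rpm -Fvh lines from sections 4.3 / 5.3.

# Digests copied from sections 4.2 and 5.2. Format: "<release> <md5> <file>".
# The release labels are this example's own convention.
ADVISORY_SUMS='3.1.1 f52d7821dcbefafc220a479a34f359a7 horde-1.2.8-1.i386.rpm
3.1.1 7dec82815fe2a801b40fd1cc64712f28 imp-2.2.8-1.i386.rpm
3.1 d479bd6ee5b856a3cf212d3b58ddbd98 horde-1.2.8-1.i386.rpm
3.1 836b9bc79c208b36d4e6191dcd60ce0d imp-2.2.8-1.i386.rpm'

# md5_of FILE: print the hex MD5 of FILE, using md5sum or, failing that, openssl.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# expected_sum RELEASE FILENAME: print the advisory digest, or nothing if the
# advisory lists no such file for that release.
expected_sum() {
    printf '%s\n' "$ADVISORY_SUMS" |
        awk -v r="$1" -v f="$2" '$1 == r && $3 == f { print $2 }'
}

# verify_package RELEASE PATH: return 0 only when PATH's MD5 matches the
# advisory entry for its basename under RELEASE. A file the advisory does not
# list is treated as a failure, not silently accepted.
verify_package() {
    release=$1
    path=$2
    name=$(basename "$path")
    want=$(expected_sum "$release" "$name")
    if [ -z "$want" ]; then
        echo "FAIL $path: no advisory checksum for $name ($release)" >&2
        return 1
    fi
    have=$(md5_of "$path")
    if [ "$have" = "$want" ]; then
        echo "OK   $path"
        return 0
    fi
    echo "FAIL $path: got $have, want $want" >&2
    return 1
}

# update_release RELEASE DIR: verify both binary packages in DIR, then apply
# them with rpm -Fvh exactly as sections 4.3 and 5.3 do. Nothing is installed
# if any checksum fails.
update_release() {
    release=$1
    dir=$2
    for pkg in horde-1.2.8-1.i386.rpm imp-2.2.8-1.i386.rpm; do
        verify_package "$release" "$dir/$pkg" || return 1
    done
    rpm -Fvh "$dir/horde-1.2.8-1.i386.rpm" "$dir/imp-2.2.8-1.i386.rpm"
}
```

Run it as, for example, `update_release 3.1.1 /var/tmp/updates` after fetching the two RPMs from the 4.1 location into that directory. Note what the check does and does not buy: the packages travel over plain FTP and the advisory carries no signature, so a matching MD5 rules out a corrupted or substituted download only to the extent that the advisory text itself reached you intact; rpm's own signature check (rpm -K) is the stronger control where the vendor's signing key is available.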